-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:36                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          ntop port allows remote and minor local compromise

Category:       ports
Module:         ntop
Announced:      2000-08-14
Credits:        Discovered during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2000-08-12 (However see below)
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

ntop is a utility for monitoring and summarizing network usage, from
the command-line or remotely via HTTP.

II.  Problem Description

The ntop software is written in a very insecure style, with many
potentially exploitable buffer overflows (including several
demonstrated ones) which could in certain conditions allow the local
or remote user to execute arbitrary code on the local system with
increased privileges.

By default the ntop port is installed setuid root and only executable
by root and members of the 'wheel' group. The 'wheel' group is
normally only populated by users who also have root access, but this
is not necessarily the case (the user must know the root password to
increase his or her privileges). ntop allows a member of the wheel
group to obtain root privileges directly through a local exploit.

If invoked in 'web' mode (ntop -w) then any remote user who can
connect to the ntop server port (which is determined by local
configuration) can execute arbitrary code on the server as the user
running the ntop process, regardless of whether or not they can
authenticate to the ntop server by providing a valid username and
password.

This will not necessarily yield root privileges unless ntop -w is
executed as root since by the time it services network connections the
program has dropped privileges, although it retains the ability to
view all network traffic on the sampled network interface (instead of
just the connection summaries which ntop normally presents). However,
since ntop is not executable by unprivileged users, it is likely that
the majority of installations using 'ntop -w' are doing so as root, in
which case full system compromise is directly possible.

The ntop port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 3700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5 and 4.1
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local users who are members of the wheel group can obtain root
privileges without having to pass through the normal system security
mechanisms (i.e. entering the root password). If ntop is run in "web"
mode (ntop -w) then remote users who can connect to the ntop server
port can also execute arbitrary code on the server as the user running
ntop -w (usually root).

If you have not chosen to install the ntop port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

1) Remove the setuid bit from the ntop binary so that only the
superuser may execute it. Depending on local policy this vulnerability
may not present significant risk.

2) Avoid using ntop -w. If ntop -w is required, consider imposing
access controls to limit access to the ntop server port (e.g. using a
perimeter firewall, or ipfw(8) or ipf(8) on the local machine). Note
that specifying a username/password access list within the ntop
configuration file is insufficient, as noted above. Users who pass the
access restrictions can still gain privileges as described above.

V.   Solution

Due to the lack of attention to security in the ntop port no simple
fix is possible: for example, the local root overflow can easily be
fixed, but since ntop holds a privileged network socket a member of
the wheel group could still obtain direct read access to all network
traffic by exploiting other vulnerabilities in the program, which
remains a technical security violation.

The FreeBSD port has been changed to disable '-w' mode and remove the
setuid bit, so that the command is only available locally to the
superuser. Full functionality will be restored once the ntop
developers have addressed these security concerns and provided an
adequate fix - this advisory will be reissued at that time.

To upgrade your ntop port/package, perform one of the following:

1) Upgrade your entire ports collection and rebuild the ntop port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntop-1.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/ntop-1.1.tgz

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.

3) download a new port skeleton for the ntop port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOZh1m1UuHi5z0oilAQFcIgQArlP0hzT+scsGxjI7wTWXh5fgm5E+CFh0
EfeIvYgGCzsCCCAS0nm3vo+a1IUxloJdk27K2oO4aCjTLy+gLe/vnW28gWn9dzle
nIyUDFudMpsx/WpO4F4UkMPTX+w0fiWpNvY2KddjwOeBn2xhRJik9ZVTMpc7zTe6
+2DGgV9jAnM=
=9UuJ
-----END PGP SIGNATURE-----
